Removing local admin from users and adding "Users" group to "Allow log on locally"
Hello,

For security reasons we want to remove local admin rights for our users on their work laptops. I have found a way to do this using LAPS. The issue I am experiencing is that for some reason "Users" is not a working local group and it's not added to "Allow log on locally" by default. I added "Gebruikers" (the local Users group in Dutch) to the security baseline which sets the groups that are allowed to log on locally. This works, but the issue is that this policy applies after the LAPS policy, so if users get a new laptop and it gets locked they can't log back in and I have to manually change the Group Policy setting with an admin account. I was thinking maybe a remediation script could solve this if it checks for the right Group Policy and adds the device to a specific group for LAPS, but I have no idea where to begin. Any tips would be appreciated!

Best regards, Nick
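A starting point for the remediation-script idea in this post, as an added example that is not part of the original thread: a PowerShell detection script in the shape Intune remediations expect, reporting whether the built-in Users group currently holds "Allow log on locally". It assumes it runs as SYSTEM (the default for Intune remediation scripts) and identifies the group by its well-known SID rather than the localized name, so the same check works on Dutch and English installs.

```powershell
# Added example (not from the original post): Intune detection script that checks
# whether the built-in Users group (well-known SID S-1-5-32-545) holds the
# "Allow log on locally" user right (SeInteractiveLogonRight).
# Exit 1 tells Intune the device needs remediation; exit 0 means compliant.
# Assumption: runs as SYSTEM, which secedit needs to export the local policy.
$usersSid = 'S-1-5-32-545'
$cfgPath  = Join-Path $env:TEMP 'logon-rights.inf'

try {
    # Export only the user-rights area of the local security policy (INI-style file).
    $null = & secedit.exe /export /cfg $cfgPath /areas USER_RIGHTS
    if (-not (Test-Path $cfgPath)) { throw 'secedit export failed' }

    $line = Get-Content $cfgPath | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) {
        # No assignment line at all: nobody is explicitly granted the right.
        Write-Output 'SeInteractiveLogonRight is not defined'
        exit 1
    }

    # Values are comma-separated; SIDs are prefixed with '*', account names are not.
    $principals = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }

    # Resolve names to SIDs so the comparison is independent of display language.
    $sids = foreach ($p in $principals) {
        if ($p -match '^S-1-') { $p }
        else {
            try {
                (New-Object System.Security.Principal.NTAccount($p)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $p }
        }
    }

    if ($sids -contains $usersSid) {
        Write-Output 'Users group can log on locally'
        exit 0
    }
    Write-Output "Users group is missing from Allow log on locally: $line"
    exit 1
}
finally {
    Remove-Item $cfgPath -ErrorAction SilentlyContinue
}
```

The matching remediation script would re-add the right (for example by importing a policy fragment with secedit or via a custom OMA-URI on the UserRights CSP); the detection side alone is enough to see which devices are locked out of local logon before the baseline policy lands.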
After Removing GPO, Intune Policies Not Applying

Part of our fleet remains Entra Hybrid Joined (as computers are refreshed, they are Entra Joined instead). We apply Windows Security Baselines through both Group Policy and Intune. Recently, we evaluated the differences between the two baselines and determined they are nearly identical. Accordingly, we decided to disable GPO-based security baselines for Entra Hybrid Joined devices and let Intune push the security settings for the baseline instead.

Here's the expected behavior: Security baseline settings are set by both Intune and GPO. By default, GPO wins, so the Intune setting is not applied. When the GPO settings are removed, at some point in the next 24 hours (I believe it happens every 8 hours) all Intune policies are reapplied whether or not they have changed. With the GPOs gone, MDM policies that were once blocked by Group Policy are applied. The end result: all security policies are applied, but most of them are coming from Intune (MDM) instead of from GPOs.

However, this is not what is happening. While Intune claims the security baseline has applied, the settings that were once overridden by GPOs never apply and the computer effectively has no security baseline.

Here's what I've done to try to fix this:

Make a copy of the existing baseline with a new name, assign it to the computers, and unassign the original baseline. This does not work. The policies claim to have applied, but never apply on the endpoint.

Change a single setting in the baseline, hoping the change triggers the whole configuration reapplying. The endpoint only applies the changed setting; other settings in the baseline do not get applied.

Unassign the baseline entirely, wait for the computer to sync, and reassign the baseline. This works, but is not a viable solution for a large fleet of computers. This would be fine if all of our computers were receiving GPO updates regularly, but they're not (they are remote). This only works if the computer syncs one time while no settings are applied and again after the configurations are reassigned. We can't negotiate the timing on this for our whole fleet of computers.

Apply the policy that makes MDM policies take precedence over GPOs. This did not work.

Here's what we're not willing to try (I'm preempting some of Microsoft's usual boilerplate responses): We will not reset the computers; there are too many for this to be a scalable solution. We will not unjoin and rejoin the computers from MDM; there are too many for this to be a scalable solution. While I'm tempted to open a support case with Microsoft, this has only ever been a time-consuming and frivolous process. I expect they would pass the ticket around and eventually apologize to me when they decide this is a support case I should actually pay for.

Why would MDM policies not apply even after the group policies that once conflicted with them have been removed? This is impacting all Entra Hybrid Joined computers, the vast majority of which are running the latest build of Windows 11 23H2. Some of these computers have sat for 48 hours in this state, so I don't think this is something that will be resolved with time. Any advice would be greatly appreciated!

Intune disables Tamper Protection by default
We noticed a strange quirk about Intune and have repeatedly tested it across multiple tenants with freshly reinstalled workstations running Windows 10. Normally, Intune, much like AD, should not apply policies unless given a policy to apply. But we noticed that by default Intune will always apply a policy to DISABLE Tamper Protection by group policy when devices are enrolled, unless you specifically make a configuration profile or otherwise tell Intune to enable Tamper Protection on end devices. This seems like a strange behavior, and is not documented anywhere on the Microsoft Learn website. Also, if you run the PowerShell command Get-MpComputerStatus you will see that TamperProtectionSource now gets listed as "Signatures" with no explanation. Again, there is no documentation about this type in Microsoft Learn or any other public KBs. The KBs only had information about other states such as UI, Transition, etc. Is there a way to request Microsoft to provide documentation to fill in these important gaps in their knowledge base?

Hybrid Azure Join
Hello everyone, we want to use Hybrid Azure Join. Now my question is: can we use Cloud GPOs (CSP/ADMX) AND on-prem GPOs? So for example, can I roll out printers via local GPO, and software and OneDrive settings via Intune from the cloud? Unfortunately I can't find any information here; Google is not my friend today.

Best Regards, Phil